Enforce Security - 802.1x

Jouni Malinen j at w1.fi
Thu Jan 15 17:55:23 EST 2015


On Thu, Jan 15, 2015 at 08:00:41PM +0100, Ben wrote:
> [WPA2 - EAP-TLS with integrated Radius & EAP Server ON]
> I have been using hostapd for a long time and now I am testing multiple
> options; everything is working except three things:
> 
> -I am seeing that Authentication Algorithm needs to be open for
> 802.1x so it seems that I need to use auth_alg=0 but it is only
> working with auth_alg=3.
> Can someone explain to me why? I think 3 would be to accept both
> (802.1x and Shared key), but I would like to force it to 802.1x
> only.

# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=3

Please note that "bit 0" = 1 and "bit 1" = 2. In other words, you should
really use auth_algs=1 with WPA2-Enterprise. auth_algs=3 will work as
well, since you cannot really use Shared Key Authentication with WPA2.

> -i80211w: I am able to join my network through an Android but it is
> impossible with an iPhone. Has anyone been able to test it and make
> it work?

Which iOS version are you using?

> As soon as I require it (ieee8021w=2) I get into an issue
> connecting (the log says that I am authenticated but there are no
> more messages after this)

Which wpa_key_mgmt value did you use with ieee80211w=2? WPA-EAP-SHA256
is the only option I'd expect to work here robustly.

> -Can someone explain to me the role of Key Management Algorithms?
> I am trying to change from WPA-EAP to WPA-EAP-SHA256 but as soon as
> I do that my computer gets confused and detects my wireless network
> as a normal WPA2 network and not an 802.1x one anymore...
> Is there a prerequisite to make it work properly?

What WLAN component and software do you use on your computer in this
case? There are a number of deployed devices that have had issues with
either multiple AKMs or PMF getting enabled.

-- 
Jouni Malinen                                            PGP id EFC895FA

